<!DOCTYPE html>
<html lang="en">

<head>
	

	


	

	<!--trying to figure out the canonical url issue with blogs-->
	<link rel="canonical" href="https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware" />

	<title>BlackCat ransomware | AT&T Alien Labs</title>

	

		

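	<!-- Open Graph consumers read each property from the "content" attribute; "value" is not part of the protocol, so the site name was never exposed. -->
	<meta property="og:site_name" content="AT&amp;T Cybersecurity" />
	<meta property="og:title" content="BlackCat ransomware" />
	<meta property="og:url" content="https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware" />
	<meta property="og:image" content="https://cdn-cybersecurity.att.com/blog-content/Blog-Images/open-graph/malware_og.jpg" />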
	<meta property="og:description" content="This blog was jointly written with Santiago Cortes.&nbsp;

Executive summary

AT&amp;T Alien Labs&trade; is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infras" />
		


	<meta charset="utf-8">





<meta name="viewport" content="width=device-width, initial-scale=1.0">


<link rel="stylesheet" href="https://cdn-cybersecurity.att.com/css/sass/main.min.css?v=20220322283940" />










	<link rel="alternate" type="application/rss+xml" title="AlienVault Open Threat Exchange Blog" href="/site/blog-all-rss" />


</head>

	<body class="listing-blog-entry-id-7668">


		<header id="header" class="navbar navbar-fixed-top">







	<div id="header-container" class="container-fluid">
		

		<nav class="navbar-collapse collapse" id="header-nav">
			<ul class="nav navbar-nav list-unstyled">
				<li class="nav-item has-dd solutions">
					<a id="main-nav-solutions" href="/solutions" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#solutions-dd">Solutions<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="solutions-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-see-all-solutions-mobile" href="/solutions" class="header_nav_link">See All Solutions</a></li>
							</ul>
							<div id="compliance">
								<div class="menu-header">Compliance</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/it-compliance-management">Overview</a></li>
									<li><a href="/solutions/gdpr-compliance">GDPR</a></li>
									<li><a href="/solutions/hipaa-compliance">HIPAA</a></li>
									<li><a href="/solutions/iso-27001-compliance">ISO 27001</a></li>
									<li><a href="/solutions/pci-dss-compliance">PCI DSS</a></li>
									<li><a href="/solutions/soc-2-compliance">SOC 2</a></li>
								</ul>
							</div>
							<div id="industry">
								<div class="menu-header">Industry</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/education">Education</a></li>
									<li><a href="/solutions/energy-sector-security">Energy Sector</a></li>
									<li><a href="/solutions/government">Federal</a></li>
									<li><a href="/solutions/financial-services">Financial Services</a></li>
									<li><a href="/solutions/healthcare">Healthcare</a></li>
									<li><a href="/solutions/manufacturing">Manufacturing</a></li>
									<li><a href="/partners/mssp-program">MSSPs</a></li>
									<li><a href="/solutions/retail">Retail</a></li>
								</ul>
							</div>
							<div id="environment">
								<div class="menu-header">Environment</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/5g-security-solutions">5G</a></li>
									<li><a href="/solutions/aws-security-and-compliance-management">AWS</a></li>
									<li><a href="/solutions/azure-security-and-compliance-management">Azure</a></li>
									<li><a href="/solutions/cloud-security">Cloud</a></li>
									<li><a href="/solutions/iot-and-mobility-security">IOT/Mobility</a></li>
									<li><a href="/solutions/hybrid-cloud-security">Hybrid</a></li>
									<li><a href="/solutions/network-security">Network</a></li>
									<li><a href="/solutions/remote-workforce-security">Remote Workforce</a></li>

								</ul>
							</div>
							<div id="core-capabilities">
								<div class="menu-header">Security Use Cases</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/solutions/intrusion-detection-system">Intrusion Detection</a></li>
									<li><a href="/solutions/secure-access-service-edge">Secure Access Service Edge</a></li>
									<li><a href="/solutions/secure-web-gateway">Secure Web Gateway</a></li>
									<li><a href="/solutions/siem-platform-solutions ">SIEM Platform Solutions</a></li>
									<li><a href="/solutions/extended-detection-and-response">XDR</a></li>
									<li><a href="/solutions/zero-trust-architecture">Zero Trust Architecture</a></li>

								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-solutions">
							<div class="container-fluid">
								<a href="/solutions">
									<span class="view-all-text">View All Solutions &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd partners">
					<a id="main-nav-partners" href="/partners" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#partners-dd">Partners<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="partners-dd">
						<div class="dd-multi-col container-fluid">
							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-partners-mobile" href="/partners/become-a-partner">Become a Partner</a></li>
							</ul>
							<div id="become-a-partner">
								<div class="menu-header">Become a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners">All Partner Programs</a></li>
									<li><a href="/partners/mssp-program">MSSP Program</a></li>
									<li><a href="/partners/resellers">Reseller Program</a></li>
									<li><a href="/partners/partner-portal/">Partner Portal Login</a></li>
								</ul>
							</div>

							<div id="find-a-partner">
								<div class="menu-header">Find a Partner</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/partners/find-partner">Find an MSSP</a></li>
									<li><a href="/partners/locator">Find a Reseller</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
								</ul>
							</div>
							<div id="technology-partners">
								<div class="menu-header">Technology Partners</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/app">USM Anywhere Integrations</a></li>
									<li><a href="/partners/technology-partners">OTX Partners</a></li>
								</ul>
							</div>
						</div>
						<div class="dd-bottom visible-md visible-lg" id="view-all-partners">
							<div class="container-fluid">
								<a href="/partners/become-a-partner">
									<span class="view-all-text">Become a Partner &LongRightArrow;</span>
								</a>
							</div>
						</div>
					</div>
				</li>
				<li class="nav-item has-dd resources">
					<a id="main-nav-resources" href="/resource-center#language_en" class="dropdown-toggle" data-toggle="collapse" role="button" aria-expanded="false" data-target="#resources-dd">Resources<span class="glyphicon glyphicon-chevron-up"></span><span class="glyphicon glyphicon-chevron-down"></span></a>
					<div class="nav-dropdown collapse" id="resources-dd">
						<div class="dd-multi-col container-fluid">

							<div id="resources-menu-image" class="visible-lg">
								<img src="https://cdn-cybersecurity.att.com/images/uploads/thehub-thumbnail.jpg">
								<p>Explore The Hub, our home for all virtual experiences</p>
								<a href="https://hub.att.com/expo-hall/cybersecurity/">Explore now ⟶</a>
							</div>

							<ul class="list-unstyled sub-nav hidden-md hidden-lg">
								<li><a id="main-nav-resources-mobile" href="/resource-center#language_en">View All Resources</a></li>

							</ul>

							<div id="product-resources">
								<div class="menu-header">Product Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_customer-stories">Customer Stories</a></li>
									<li><a href="/resource-center#content_product-brief">Product Briefs</a></li>
									<li><a href="/resource-center#content_product-demo">Product Demos</a></li>
									<li><a href="/resource-center#content_product-review">Product Reviews</a></li>
									<li><a href="/resource-center#content_solution-brief">Solution Briefs</a></li>
									<li><a href="/resource-center#content_use-cases">Use Cases</a></li>

									<li><a id="free-trial" href="/products/usm-anywhere/free-trial">Free Trial</a></li>
								</ul>
							</div>
							<div id="security-resources">
								<div class="menu-header">Security Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#content_analyst-reports">Analyst Reports</a></li>
									<li><a href="/blogs">Blogs</a></li>
									<li><a href="/resource-center#content_ebook">eBooks</a></li>
									<li><a href="/resource-center#content_video">Videos</a></li>
									<li><a href="/resource-center#content_webcast">Webcasts</a></li>
									<li><a href="/resource-center#content_white-paper">White Papers</a></li>
									<li><a href="/resource-center#content_industry-reports">Industry Reports</a></li>
								</ul>
							</div>
							<div id="customer-resources">
								<div class="menu-header">Customer Resources</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="https://success.alienvault.com/">Success Center</a></li>
									<li><a href="/certification">Certification</a></li>
									<li><a href="/customer-success">Customer Success</a></li>
									<li><a href="/documentation">Documentation</a></li>
									<li><a href="/partners/certified-implementation-partners">Professional Services</a></li>
									<li><a href="/support">Support Overview</a></li>
									<li><a href="/training">Training</a></li>
								</ul>
							</div>
							<div id="browse-by-topic">
								<div class="menu-header">Browse by Topic</div>
								<ul class="list-unstyled sub-nav">
									<li><a href="/resource-center#category_incident-response">Incident Response</a></li>
									<li><a href="/resource-center#category_intrusion-detection">Intrusion Detection</a></li>
									<li><a href="/resource-center#category_partner-mssp-reseller">Partner: MSSP &amp; Reseller</a></li>
									<li><a href="/resource-center#category_regulatory-compliance">Regulatory Compliance</a></li>
									<li><a href="/resource-center#category_soc">Security Operations Center</a></li>
									<li><a href="/resource-center#category_siem-log-management">SIEM &amp; Log Management </a></li>
									<li><a href="/resource-center#category_threat-detection">Threat Detection</a></li>
									<li><a href="/resource-center#category_threat-intelligence">Threat Intelligence</a></li>
								</ul>
							</div>
						</div>

						<div class="dd-bottom visible-md visible-lg" id="view-all-resources">
							<div class="container-fluid">
								<a href="/resource-center#language_en">
									<span class="view-all-text">View All Resources &LongRightArrow;</span>
								</a>
							</div>
						</div>

					</div>
				</li>
				<li class="nav-item alien-labs">
					<a id="main-nav-alien-labs" href="/alien-labs" class="">AT&T Alien Labs</a>
				</li>
				<li class="nav-item visible-sm visible-xs">
					<a id="main-nav-contact" href="/contact">Contact</a>
				</li>
				<li class="nav-item support visible-sm visible-xs">
					<a id="main-nav-support" href="/support">Support</a>
				</li>

			</ul>
		</nav>

	</div>

	<div class="container-fluid visible-md visible-lg">
		
		
			<a id="main-nav-free-tools" class="header-nav-btn btn margin-bottom10" href="/pricing/request-quote">Get price</a>
		


	</div>
</header>

						




			<main class="blog-detail flexible-layout">

				<section class="full-width-block">

					<div class="container-fluid">

						<div class="row flx-container">
							<div class="col-sm-7">
								<div class="blog-content-area">
									<div class="blog-title-date-author-area">
										<h1>BlackCat ransomware</h1>
										<div class="date">February 25, 2022 &nbsp;|&nbsp; <a href="/blogs/author/fmartinez">Fernando Martinez</a></div>
									</div>
									<div class="blog-body">
										<p><em>This blog was jointly written with Santiago Cortes.&nbsp;</em></p>

<h2>Executive summary</h2>

<p>AT&amp;T Alien Labs&trade; is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure globally.</p>

<h2>Key takeaways:</h2>

<ul>
	<li>The ransomware BlackCat is coded in Rust and was created in November 2021.</li>
	<li>Following trends observed last year by Alien Labs, the ransomware targets multiple platforms&nbsp;(Windows and Linux), and it uses additional code to infect VMware&rsquo;s ESXi hypervisor.</li>
	<li>BlackCat uses a &ldquo;wall of shame&rdquo; website both to blackmail victims and to prove and promote its latest campaigns publicly.</li>
	<li>Campaigns remain active, with 16 known incidents in February 2022 as of the publishing of this report.</li>
</ul>

<h2>Background</h2>

<p>The 2021 ransomware attack on US-based Colonial Pipeline, which impacted the fuel supply on the East Coast of America for several days, raised awareness of the reality that adversaries are well prepared to launch future cyberattacks globally that could severely impact a country&rsquo;s infrastructure. Now, with confrontations in the Ukrainian region taking on new levels of urgency, there is heightened expectation of future threat actor campaigns against the critical infrastructure of western countries. The campaigns could&nbsp;take the form of ransomware attacks or data wiper attacks, as these have been highly successful in recent years, especially when combined with supply chain attacks.</p>

<h2>Analysis</h2>

<p>German newspaper <em>Handelsblatt</em> stated the oil companies Oiltanking and Mabanaft had been affected by a ransomware attack on January 29, 2022, that impacted one of the key oil providers in the area. The attacks allegedly caused Shell to re-route their supplies in order to avoid severe impacts to the German fuel supply. Even with these actions, it&rsquo;s been stated that 233 gas stations across Germany have been affected by the incident, resulting in those stations having to run some processes manually and only taking cash payment.</p>

<p>The malware behind these attacks is known as BlackCat ransomware, aka ALPHV, as reported by the same newspaper. The group operates with a ransomware-as-a-service (RaaS) business model, where the ransomware authors are entitled to 10-20% of the ransom payment, while the rest is kept by the affiliates deploying the payload. After a successful attack, victims who refuse to pay the ransom have their details posted on dark web forums to make attacks public, increasing their notoriety and shaming the affected organizations. According to these blogs, at least 10 companies may have been impacted by these ransomware campaigns in the first two weeks of February.</p>

<p>Since the malware family operates as a RaaS, the initial access vector depends on the affiliate party deploying the payload and can vary from one attacker to another. However, all of them appear to attempt to exfiltrate victims&rsquo; data before starting the encryption process, gaining extortion power for subsequent requests.</p>

<p>The BlackCat gang first appeared in mid-November 2021, and its payload is written in the Rust programming language, which is considered to have performance similar to C/C++, but with better memory management to avoid memory errors and errors in concurrent programming. Additionally, it is a cross-platform language, allowing developers to target several operating systems with the same code. For these reasons, it has been voted the &ldquo;most loved programming language&rdquo; on Stack Overflow since 2016.</p>

<p>Aside from the development advantages Rust offers, the attackers also take advantage of a lower detection ratio from static analysis tools, which aren&rsquo;t usually adapted to all programming languages. For this same reason, the Go language became more popular among malware coders during the last year, as seen in other blogs&nbsp;released by Alien Labs, including:</p>

<ul>
	<li>Blog <a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool" target="_blank">TeamTNT Delivers Cryptomining Malware Using New Memory Loader</a></li>
	<li>Blog&nbsp;<a href="https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github" target="_blank">BotenaGo</a></li>
</ul>

<p>Rust has been present in malware samples for many years, but BlackCat is the first professionally distributed, commercialized malware family using it, and the most prosperous thus far.</p>

<p>When executed, the malware offers several options for customizing its execution. These options have evolved since its first version, as shown by comparing one of the first samples available (figure 1, <a href="https://twitter.com/malwrhunterteam/status/1468713125457371139?s=20&amp;t=W8LkIa-0Wlmj3ExsLvJL5g" target="_blank">reported</a> by MalwareHunterTeam in December 2021) with the latest samples/versions (figure 2).</p>

<p style="text-align:center"><img alt="BlackCat sample" data-original="https://cdn-cybersecurity.att.com/blog-content/blackcat_sample.jpg" /></p>

<p style="text-align:center">Figure 1. @malwrhunterteam screenshot of execution.</p>

<p>Most arguments are optional, but access-token is mandatory; requiring it is meant to evade the dynamic analysis performed by automated sandboxes. However, any token value satisfies the check and enables malware execution. This token, in addition to the host universally unique identifier (UUID), is later used to identify the victim on a Tor website hosted by the attackers, which displays the price for the file decryptor.</p>

<p>Among these options, Alien Labs has observed how some of them are specific to VMware ESXi. This inclusion follows trends observed in 2021 among other popular RaaS groups, like DarkSide or REvil, &nbsp;who added Linux capabilities to include VMware ESXi in their scope of potential targets. The hypervisor ESXi allows multiple virtual machines (VM) to share the same hard drive storage. However, this also enables attackers to encrypt the centralized virtual hard drives used to store data from across VMs, potentially causing disruptions to companies.</p>

<p>The BlackCat malware has code very similar to its predecessors. It first aims to stop any running VMs in ESXi. By doing this, the attacker ensures no other VM is handling the files to be encrypted, avoiding corruption issues of the encrypted files. Additionally, any ESXi snapshots are removed to hinder recovery from the attack.</p>

<p>Additional preparation procedures are performed by the BlackCat malware on Windows systems. For example, it carries out some noisy activities that can be detected with Alien Labs correlation rules, as seen in Appendix A:</p>

<ul>
	<li>Deletes the Volume Shadow Copies to hinder recovery from the attack. The command used is &lsquo;vssadmin.exe Delete Shadows /all /quiet&rsquo;.</li>
	<li>Disables the recovery mode in BCDedit: &lsquo;bcdedit.exe /set {default} recoveryenabled No&rsquo;.</li>
	<li>Raises to the maximum the number of network requests the Server Service can take by changing the value in the registry to 65535. This change avoids issues when accessing too many files at once during the encryption process. The command used is: &lsquo;reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f &rsquo;.</li>
	<li>If enabled, it attempts to propagate with psexec into different systems. The command runs from the %TEMP% folder, leveraging the credentials in the config file and the parent&rsquo;s execution options for propagation options. &lsquo;psexec.exe -accepteula \\{Target} -u {user} -p {password} -s -d -f -c {payload}.exe {inherited execution flags}&rsquo;.</li>
	<li>Clears all the event logs with wevtutil with the command: &lsquo;cmd.exe /c for /F "tokens=*" %1 in (&#39;wevtutil.exe el&#39;) DO wevtutil.exe cl "%1"&rsquo;.</li>
</ul>

<p>In addition to the options shown in figure 1, the latest samples have added three additional functions that increase the ransomware capabilities.&nbsp;These changes maintain the line of work already seen, without including any major changes to the way the malware operates.</p>

<p style="text-align:center"><img alt="latest BlackCat sample" data-original="https://cdn-cybersecurity.att.com/blog-content/latest_sample.jpg" /></p>

<p style="text-align:center">Figure 2. Latest sample executed.</p>

<p>The current default configuration file, shipped with the latest observed executable, contains, among others:</p>

<ul>
	<li>The public key</li>
	<li>The file extension to use for encrypted files, which corresponds to seven alphanumeric characters (<i>0hzoagy</i> for one of the latest samples)</li>
	<li>A ransom note (see figure 3) contains the victim&rsquo;s name multiple times as well as the type of files BlackCat has exfiltrated</li>
	<li>A list of pre-obtained credentials from the victim that are to be used during execution</li>
	<li>A list of services that, according to the attacker&rsquo;s configuration, are to be killed on the victim&rsquo;s system before executing the encryption process &mdash; usually services modifying files that could corrupt files or backup services that could become counter-productive to the malicious execution. The list includes: mepocs, memtas, veeam, svc$, backup, sql, vss, msexchange, sql$, mysql, mysql$, sophos, MSExchange, MSExchange$, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, GxBlr, GxVss, GxClMgrS, GxCVD, GxCIMgr, GXMMM, GxVssHWProv, GxFWD, SAPService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec, QBCFMonitorService, QBDBMgrN, QBIDPService, AcronisAgent, VeeamNFSSvc, VeeamDeploymentService, VeeamTransportSvc, MVArmor, MVarmor64, VSNAPVSS, AcrSch2Svc.</li>
</ul>

<p style="text-align:center"><img alt="BlackCat ransom note" data-original="https://cdn-cybersecurity.att.com/blog-content/blackcat_ransom_note.jpg" /></p>

<p style="text-align:center">Figure 3. Example of ransom note.</p>

<ul>
	<li>A list of processes to be killed before executing the encryption process, with a similar target as the services list: agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos, mydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon, *sql*, bedbh, vxmon, benetns, bengien, pvlsvr, beserver, raw_agent_svc, vsnapvss, CagService, QBIDPService, QBDBMgrN, QBCFMonitorService, SAP, TeamViewer_Service, TeamViewer, tv_w32, tv_x64, CVMountd, cvd, cvfwd, CVODS, saphostexec, saposcol, sapstartsrv, avagent, avscc, DellSystemDetect, EnterpriseClient, VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc.</li>
	<li>A list of excluded directories, filenames and file extensions to ensure the computer is operative after the encryption.
	<ul>
		<li>Directories: system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, $windows.~bt, public, msocache, windows, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old.</li>
		<li>Filenames: desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log.</li>
		<li>File extensions: themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs ,ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu.</li>
	</ul>
	</li>
</ul>

<p>The ransom note then points to a Tor onion domain with the field &lsquo;access-key=&rsquo; to identify the victim and show the price to recover their files with the Decrypt App. Prices are indicated in Bitcoin and Monero; the latter is offered at a discount compared with Bitcoin.</p>

<h2>Recommended actions</h2>

<ol>
	<li>Maintain software with the latest security updates.</li>
	<li>Monitor for suspicious emails, and regularly and firmly remind employees not to open them and to report them.</li>
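	<li>Use a backup system to back up server files, and keep copies offline or otherwise isolated, since the malware deletes shadow copies and stops backup services before encrypting.</li>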
	<li>Install Antivirus and/or endpoint detection and response on all endpoints.</li>
	<li>Make sure two-factor authentication is enabled in all services.</li>
</ol>

<h2>Conclusion</h2>

<p>Recent ransomware attacks performed on German oil suppliers were successful, but they did not have a significant impact on the country&#39;s infrastructure. However, considering geo-political events in Eastern Europe, these attacks should serve as a strong reminder that organizations must remain on high alert against cyberattacks. They should examine recent campaigns such as those run with BlackCat malware to educate teams and maintain up-to-date detections for the latest threat actor tactics, techniques, and procedures (TTPs). Like most attacks and threat actor campaigns, BlackCat ransomware can achieve Initial Access using many different variations that are dependent on the affiliate operating the attack. However, the payload will be very similar across infections. Blue teams can use this technical information to improve their readiness against the latest RaaS attacks.</p>

<p>Alien Labs will continue to monitor variations of BlackCat malware and will update any activities on the Alien Labs Open Threat Exchange&trade;, which is a&nbsp;free, global open threat intelligence community&nbsp;with more than 200,000 users publishing updated threat intelligence daily. We deliver this information in the form of &ldquo;pulses&rdquo; that can be shared publicly and privately. In addition, members of OTX can download millions of indicators of compromise (IOCs), including those associated with BlackCat through integration with the platform.</p>

<p>Alien Labs is tracking IOCs associated with the geo-political conflict in Eastern Europe, through tagged pulses that track incidents and related threat intelligence. To get the most updated information join OTX and visit this <a href="https://otx.alienvault.com/browse/global/pulses?q=tag:%22geopolitical%20conflict%22&amp;include_inactive=0&amp;sort=-modified&amp;page=1&amp;indicatorsSearch=tag:%22geopolitical,conflict%22" target="_blank">URL</a> to see the full list of pulses associated with potential campaigns that may be related to the Ukrainian/Russian conflict and threat actors targeting other countries.</p>

<h2>Appendix A. Detection methods</h2>

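<p>The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. Several of the listed behaviours rely on built-in or common administration tools (vssadmin, bcdedit, wevtutil, PsExec), so equivalent detections should be tuned against the administrative activity expected in each environment.</p>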

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:1px solid #959595; height:26px; width:623px">
			<p>USM Anywhere Correlation Rules</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:35px; width:623px">
			<p>Removed all snapshots using vimcmd</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:623px">
			<p>Windows Shadow Copies Deletion</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:623px">
			<p>Windows PSExec Usage</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:623px">
			<p>Windows PSExec Service Usage</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:623px">
			<p>Windows SMB Server Maximum Concurrent Requests Set To Maximum Value</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:623px">
			<p>Windows Event Log Removed with wevtutil</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:623px">
			<p>Suspicious Bcdedit Usage</p>
			</td>
		</tr>
	</tbody>
</table>

<p>&nbsp;</p>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:1px solid #959595; height:26px; width:623px">
			<p><strong>YARA RULES</strong></p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:35px; width:623px">
			<pre>
rule BlackCat : WindowsMalware { /* Flags files that start with the MZ magic, are under 5MB, and contain the /rust/ marker plus at least 2 of the $a strings and at least 3 of the $b strings. */&#10;&#10;   meta:&#10;&#10;      author = "AlienLabs"&#10;&#10;      description = "Detects BlackCat payloads."&#10;&#10;      SHA256 = "6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896" /* recorded in meta only; the condition never reads it. Presumably the reference sample - confirm. */&#10;&#10;&#10;    strings:&#10;&#10;&#10;        $rust = "/rust/" ascii wide /* required by the condition; presumably a build-path fragment marking a Rust-compiled binary - confirm */&#10;&#10;&#10;        $a0 = "vssadmin.exe Delete Shadows /all /quietshadow" ascii /* ascii only and no nocase, so matching is case-sensitive. NOTE(review): the /quietshadow tail looks like two adjacent literals run together - confirm against the sample before editing. */&#10;&#10;        $a1 = "bcdedit /set {default}bcdedit /set {default} recoveryenabled No" ascii wide /* NOTE(review): the repeated bcdedit prefix likewise looks like back-to-back literals - confirm against the sample */&#10;&#10;        $a2 = "Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535" ascii wide /* LanmanServer parameter MaxMpxCt being set to 65535 */&#10;&#10;        $a3 = ".onion/?access-key=${ACCESS_KEY}" ascii wide /* .onion URL template with the ${ACCESS_KEY} placeholder left unexpanded */&#10;&#10;&#10;        $b0 = "config_id" ascii /* $b0 to $b5 are key names, ascii only; presumably fields of the payload's embedded configuration - TODO confirm */&#10;&#10;        $b1 = "public_key" ascii&#10;&#10;        $b2 = "extension" ascii&#10;&#10;        $b3 = "note_file_name" ascii&#10;&#10;        $b4 = "enable_esxi_vm_kill" ascii&#10;&#10;        $b5 = "enable_esxi_vm_snapshot_kill" ascii&#10;&#10;&#10;&#10;    condition:&#10;&#10;        uint16(0) == 0x5A4D and filesize &lt; 5MB and $rust and 2 of ($a*) and 3 of ($b*) /* uint16(0) == 0x5A4D tests only the two-byte MZ magic, not the rest of the PE structure */&#10;&#10;}</pre>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:50px; width:623px">
			<pre>
rule LinuxBlackCat : LinuxMalware { /* Flags files that start with the ELF magic, are under 5MB, and contain the /rust/ marker, both $a strings and at least 3 of the $b strings. */&#10;&#10;    meta:&#10;&#10;        author = "AlienLabs"&#10;&#10;        description = "Detects BlackCat payloads."&#10;&#10;        SHA256 = "5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42" /* recorded in meta only; the condition never reads it. Presumably the reference sample - confirm. */&#10;&#10;    strings:&#10;&#10;        $rust = "/rust/" ascii wide /* required by the condition; presumably a build-path fragment marking a Rust-compiled binary - confirm */&#10;&#10;        $a0 = "esxcli vm process kill --type=force --world-id=" ascii wide /* esxcli command prefix for force-killing a VM process by world ID; case-sensitive (no nocase) */&#10;&#10;        $a1 = ".onion/?access-key=${ACCESS_KEY}" ascii wide /* .onion URL template with the ${ACCESS_KEY} placeholder left unexpanded */&#10;&#10;&#10;        $b0 = "config_id" ascii /* $b0 to $b5 are key names, ascii only; presumably fields of the payload's embedded configuration - TODO confirm */&#10;&#10;        $b1 = "public_key" ascii&#10;&#10;        $b2 = "extension" ascii&#10;&#10;        $b3 = "note_file_name" ascii&#10;&#10;        $b4 = "enable_esxi_vm_kill" ascii&#10;&#10;        $b5 = "enable_esxi_vm_snapshot_kill" ascii&#10;&#10;&#10;    condition:&#10;&#10;        uint32(0) == 0x464c457f and filesize &lt; 5MB and $rust and all of ($a*) and 3 of ($b*) /* 0x464c457f is the four-byte ELF magic read little-endian; every $a string is required here */&#10;&#10;}</pre>
			</td>
		</tr>
	</tbody>
</table>

<h2>Appendix B. Associated indicators (IOCs)</h2>

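<p>The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the <a href="https://otx.alienvault.com/pulse/621c64d6f3cf5efc2e999c9a" target="_blank">OTX Pulse</a>. Please note that the pulse may include other related activity that is outside the scope of this report. File hashes identify only these exact samples, so a rebuilt or reconfigured payload will have a different hash; use them alongside the behavioral detections in Appendix A rather than on their own.</p>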

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:1px solid #959595; height:26px; width:97px">
			<p>TYPE</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:1px solid #959595; height:26px; width:311px">
			<p>INDICATOR</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:1px solid #959595; height:26px; width:216px">
			<p>DESCRIPTION</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>f2b3f1ed693021b20f456a058b86b08abfc4876c7a3ae18aea6e95567fd55b2e</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>40f57275721bd74cc59c0c59c9f98c8e0d1742b7ae86a46e83e985cc4039c3a5</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>b588823eb5c65f36d067d496881d9c704d3ba57100c273656a56a43215f35442</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>7154fdb1ef9044da59fcfdbdd1ed9abc1a594cacb41a0aeddb5cd9fdaeea5ea8</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>722f1c1527b2c788746fec4dd1af70b0c703644336909735f8f23f6ef265784b</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>d767524e1bbb8d50129485ffa667eb1d379c745c30d4588672636998c20f857f</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>aae77d41eba652683f3ae114fadec279d5759052d2d774f149f3055bf40c4c14</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>9f6876762614e407d0ee6005f165dd4bbd12cb21986abc4a3a5c7dc6271fcdc3</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>79802d6a6be8433720857d2b53b46f8011ec734a237aae1c3c1fea50ff683c13</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>bacedbb23254934b736a9daf6de52620c9250a49686d519ceaf0a8d25da0a97f</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>67d1f4077e929385cfd869bf279892bf10a2c8f0af4119e4bc15a2add9461fec</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>5a604a8f0e72f3bf7901b7b67f881031a402ab8072269c00233a554df548f54d</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Windows BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Linux BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Linux BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Linux BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Linux BlackCat Payload</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:33px; width:97px">
			<p>SHA256</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:311px">
			<p>9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:33px; width:216px">
			<p>Linux BlackCat Payload</p>
			</td>
		</tr>
	</tbody>
</table>

<div style="page-break-after: always"><span style="display: none;">&nbsp;</span></div>

<h2>Appendix C. Mapped to MITRE ATT&amp;CK</h2>

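<p>The findings of this report are mapped to the following <a href="https://attack.mitre.org/" target="_blank">MITRE ATT&amp;CK Matrix</a> techniques (the shadow copy deletion and bcdedit recovery changes detected in Appendix A additionally correspond to T1490: Inhibit System Recovery, which is not listed):</p>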

<ul>
	<li>TA0005: Defense Evasion
	<ul>
		<li>T1070: Indicator Removal on Host
		<ul>
			<li>T1070.001: Clear Windows Event Logs</li>
		</ul>
		</li>
		<li>T1078: Valid Accounts
		<ul>
			<li>T1078.003: Local Accounts</li>
		</ul>
		</li>
		<li>T1562: Impair Defenses
		<ul>
			<li>T1562.001: Disable or Modify Tools</li>
		</ul>
		</li>
	</ul>
	</li>
	<li>TA0010: Exfiltration
	<ul>
		<li>T1048: Exfiltration Over Alternative Protocol
		<ul>
			<li>T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</li>
		</ul>
		</li>
	</ul>
	</li>
	<li>TA0040: Impact
	<ul>
		<li>T1486: Data Encrypted for Impact</li>
	</ul>
	</li>
</ul>

<h2>Appendix D. Reporting context</h2>

<p>The following list of sources was used by the report author(s) during the collection and analysis process associated with this intelligence report.</p>

<ol>
	<li>https://www.varonis.com/blog/alphv-blackcat-ransomware</li>
	<li>https://unit42.paloaltonetworks.com/blackcat-ransomware</li>
</ol>

<p>Alien Labs rates sources based on the <a href="https://www.first.org/global/sigs/cti/curriculum/source-evaluation" target="_blank">Intelligence source and information reliability rating system</a> to assess the reliability of the source and the level of confidence we place in the information distributed. The following chart contains the range of possibilities and the selection applied to this report.</p>

<h3>Source reliability A1</h3>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:1px solid #959595; height:10px; width:148px">
			<p>RATING</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:1px solid #959595; height:10px; width:474px">
			<p>DESCRIPTION</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:35px; width:148px">
			<p>A - Reliable</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:35px; width:474px">
			<p>No doubt about the source&#39;s authenticity, trustworthiness, or competency. History of complete reliability.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:15px; width:148px">
			<p>B - Usually Reliable</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:15px; width:474px">
			<p>Minor doubts. History of mostly valid information.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:12px; width:148px">
			<p>C - Fairly Reliable</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:12px; width:474px">
			<p>Doubts. Provided valid information in the past.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:15px; width:148px">
			<p>D - Not Usually Reliable</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:15px; width:474px">
			<p>Significant doubts. Provided valid information in the past.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:12px; width:148px">
			<p>E - Unreliable</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:12px; width:474px">
			<p>Lacks authenticity, trustworthiness, and competency. History of invalid information.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:15px; width:148px">
			<p>F - Reliability Unknown</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:15px; width:474px">
			<p>Insufficient information to evaluate reliability. May or may not be reliable.</p>
			</td>
		</tr>
	</tbody>
</table>

<p>&nbsp;</p>

<h3>Information reliability A2</h3>

<table style="border-collapse:collapse">
	<tbody>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:1px solid #959595; height:11px; width:132px">
			<p>RATING</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:1px solid #959595; height:11px; width:491px">
			<p>DESCRIPTION</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:11px; width:132px">
			<p>1 - Confirmed</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:11px; width:491px">
			<p>Logical, consistent with other relevant information, confirmed by independent sources.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:12px; width:132px">
			<p>2 - Probably True</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:12px; width:491px">
			<p>Logical, consistent with other relevant information, not confirmed.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:11px; width:132px">
			<p>3 - Possibly True</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:11px; width:491px">
			<p>Reasonably logical, agrees with some relevant information, not confirmed.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:12px; width:132px">
			<p>4 - Doubtfully True</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:12px; width:491px">
			<p>Not logical but possible, no other information on the subject, not confirmed.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:13px; width:132px">
			<p>5 - Improbable</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:13px; width:491px">
			<p>Not logical, contradicted by other relevant information.</p>
			</td>
		</tr>
		<tr>
			<td style="border-bottom:1px solid #959595; border-left:1px solid #959595; border-right:1px solid #959595; border-top:none; height:14px; width:132px">
			<p>6 - Cannot be judged</p>
			</td>
			<td style="border-bottom:1px solid #959595; border-left:none; border-right:1px solid #959595; border-top:none; height:14px; width:491px">
			<p>The validity of the information cannot be determined.</p>
			</td>
		</tr>
	</tbody>
</table>

<h2>Feedback</h2>

<p>AT&amp;T Alien Labs welcomes feedback about the reported intelligence and delivery process. Please contact the Alien Labs report author or contact <a href="mailto:labs@alienvault.com">labs@alienvault.com</a>.</p>
									</div>
								</div>



								<div class="blog-categories">
								<p style="margin-bottom: 0px;">Tags: <a href="/blogs/tag/ransomware" title="ransomware" rel="nofollow">ransomware</a>, <a href="/blogs/tag/blackcat" title="blackcat" rel="nofollow">blackcat</a>, <a href="/blogs/tag/alphv" title="alphv" rel="nofollow">alphv</a></p>
								</div>

							</div>
							
						</div>
					</div>
				</section>


			</main>


			

			
		




	<script type="text/javascript"  src="/cVRRH7UofO/YK3izN/60Vr/GuhOSftzOJcO/RhRKT3wpKgg/Nho-dk/Z5aQEB"></script></body>
</html>
